Cyber Security & Digital Forensics-Lec2
Lecture two
Access Control and ACLs
• An access control system is the set of technical controls that govern how
subjects may interact with objects.
• Subjects in this sense are users or software processes or anything else that can
request and be granted access to a resource.
• Objects are the resources; these could be networks, servers, databases, files,
and so on.
• In computer security, the basis of access control is usually an Access Control
List (ACL). This is a list of subjects and the rights or permissions they have
been granted on the object. An access control system is usually described in
terms of four main processes:
■ Identification - creating an account or ID that identifies the user or process
on the computer system.
■ Authentication - proving that a subject is who or what it claims to be when
it attempts to access the resource.
■ Authorization - determining what rights subjects should have on each
resource and enforcing those rights.
■ Accounting - tracking authorized and unauthorized usage of a resource.
• For example, if you are setting up an e-commerce site and want to enroll
users, you need to select the appropriate controls to perform each
function:
• ■ Identification - you need to ensure that customers are legitimate. You
might need to ensure that billing and delivery addresses match for
instance and that they are not trying to use fraudulent payment methods.
• ■ Authentication - you need to ensure that customers have unique
accounts and that only they can manage their orders and billing
information.
• ■ Authorization - you need rules to ensure customers can only place
orders when they have valid payment mechanisms in place. You might
operate loyalty schemes or promotions that authorize certain customers
to view unique offers or content.
• ■ Accounting - the system must record the actions a customer takes.
Identification
• Identification associates a particular user (or software process) with an
action performed on a network system.
• Authentication proves that a user or process is who it claims to be
(that is, that someone or something is not masquerading as a genuine
user). Identification and authentication are vital first steps in the access
control process:
■ To prove that a user is who s/he says s/he is. This is important because
access should only be granted to valid users (authorization).
■ To prove that a particular user performed an action (accounting). This
is important because a user should not be able to deny what they have
done (non-repudiation).
• A subject is identified on a computer system by an account.
• An account consists of an identifier, credentials, and a profile.
• An identifier must be unique. For example, in Windows a subject may be
identified by a username to system administrators and users but is actually
defined on the system by a Security Identifier (SID) string. If the user account
was deleted and another account with the same name subsequently created, the
new account would have a new SID and therefore not inherit any of the
permissions of the old account.
• "Credentials" means the information used to authenticate a subject when it tries
to access the user account. This information could be a username and password
or smart card and PIN code.
• The profile is information stored about the subject. This could include name and
contact details and also group memberships.
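The ACL model introduced above and the SID point in this section, as an added Python example that is not part of the lecture: a toy access control system whose ACLs are keyed by a constructed SID-style identifier rather than by the username, with an accounting record of every authorization decision. The SID format, object names and rights are assumptions.

```python
import itertools
from dataclasses import dataclass, field


@dataclass
class Account:
    sid: str                      # unique identifier, never reused
    username: str                 # human-readable name, may be reused after deletion
    profile: dict = field(default_factory=dict)   # name, contact details, groups, ...


class AccessControlSystem:
    """ACL per object: a mapping of subject SID -> set of rights."""

    def __init__(self):
        self._sid_counter = itertools.count(1001)
        self.accounts = {}        # sid -> Account
        self.acls = {}            # object -> {sid: set(rights)}
        self.audit = []           # accounting record of every decision

    def create_account(self, username, **profile):
        sid = f"S-1-5-21-EXAMPLE-{next(self._sid_counter)}"   # constructed SID format
        self.accounts[sid] = Account(sid, username, profile)
        return sid

    def delete_account(self, sid):
        # The ACL entries for the dead SID stay behind, but nothing can match them again.
        del self.accounts[sid]

    def grant(self, obj, sid, *rights):
        self.acls.setdefault(obj, {}).setdefault(sid, set()).update(rights)

    def authorize(self, sid, obj, right):
        allowed = sid in self.accounts and right in self.acls.get(obj, {}).get(sid, set())
        self.audit.append((sid, obj, right, "ALLOW" if allowed else "DENY"))
        return allowed


def demo():
    acs = AccessControlSystem()
    alice1 = acs.create_account("alice", department="finance")
    acs.grant("payroll.xlsx", alice1, "read", "write")
    first = acs.authorize(alice1, "payroll.xlsx", "write")      # allowed
    acs.delete_account(alice1)
    alice2 = acs.create_account("alice")                        # same name, new SID
    second = acs.authorize(alice2, "payroll.xlsx", "write")     # denied: nothing inherited
    return first, second, alice1 != alice2, acs.audit
```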
Issuance / Enrollment
• Issuance (or enrollment) is the process by which a subject's credentials are
recorded, issued and linked to the correct account, and by which the account
profile is created and maintained. Some of the issues involved are:
• ■ Identity proofing - verifying that subjects are who they say they are at the time
the account is created. Attackers may use impersonation to try to infiltrate a
company without disclosing their real identity.
• Identity proofing means performing background and records checks at the time
an account is created.
• Websites that allow users to self-register typically employ a CAPTCHA
(Completely Automated Public Turing Test to Tell Computers and Humans
Apart).
• A CAPTCHA is usually a graphic or audio of some distorted letters and digits.
This prevents a software process (bot) from creating an account.
• Ensuring only valid accounts are created - for example preventing the creation of
dummy accounts or accounts for employees that are never actually hired.
• The identity issuance process must be secured against the possibility of insider
threats (rogue administrative users). For example, a request to create an account
should be subject to approval and oversight.
• ■ Secure transmission of credentials - creating and sending an initial password
securely.
• Again, the process needs protection against snooping and rogue administrative
staff. Newly created accounts with simple or default passwords are an easily
exploitable "backdoor".
• ■ Revoking the account if it is compromised or no longer in use.
Identity Management
• Identity management refers to the issues and problems that must be overcome in
implementing the identification and authentication system across different
networks and applications.
• A particular subject may have numerous "digital identities", both inside and
outside the company.
• On a personal level, managing those identities is becoming increasingly difficult,
forcing users into insecure practices, such as sharing passwords between different
accounts.
• These difficulties can be mitigated by two techniques:
• ■ Password reset - automating the password reset process reduces the
administration costs associated with users forgetting passwords, but making
the reset process secure can be problematic.
• ■ Single sign-on - this means that all network resources and applications
accept the same set of credentials, so the subject only needs to authenticate
once per session (for example, Kerberos).
• This requires application compatibility and is difficult to make secure or
practical across third-party networks.
Authentication
• Assuming that an account has been created securely (the identity of the account
holder has been verified), authentication verifies that only the account holder is
able to use the account (and that the system may only be used by account
holders).
• Authentication is performed when the account holder supplies the appropriate
credentials to the system. These are compared to the credentials stored on the
system. If they match, the account is authenticated. There are many different
technologies for defining credentials. They can be categorized as the following
factors:
• ■ Something you know (such as a password).
• ■ Something you have (such as a smart card).
• ■ Something you are (such as a fingerprint).
Something You Know Authentication
• The typical "something you know" technology is the logon, which comprises
a username and a password. The username is typically not a secret (though it
is unwise to go around publishing it), but the password must be known only to
the account holder.
A passphrase is a longer password comprising a number of words. This has the
advantages of being more secure and easier to remember.
A Personal Identification Number (PIN) is another example of something you
know.
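An added example, not from the lecture, of how the "compare the supplied credentials to the stored credentials" step is carried out for a password or passphrase in practice: the system stores only a salted PBKDF2 hash of the secret (an assumption; the lecture does not say how credentials are stored) and compares the recomputed hash in constant time, so neither the stored data nor the comparison timing leaks the password.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; assumption, tune to the hardware


def enroll(password: str) -> dict:
    """Issuance step: store a random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def authenticate(stored: dict, supplied: str) -> bool:
    """Authentication step: derive the hash from the supplied secret and compare.

    hmac.compare_digest runs in constant time, so an attacker cannot learn how many
    leading bytes matched from the response time.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", supplied.encode(), stored["salt"], stored["iterations"]
    )
    return hmac.compare_digest(candidate, stored["hash"])


def demo():
    creds = enroll("correct horse battery staple")          # a passphrase of several words
    ok = authenticate(creds, "correct horse battery staple")
    bad = authenticate(creds, "Correct horse battery staple")   # case matters
    # The same secret enrolled twice yields different stored hashes because of the salt.
    salted = enroll("correct horse battery staple")["hash"] != creds["hash"]
    return ok, bad, salted
```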
Personally Identifiable Information (PII) - something you know
Logs
Accounting is generally performed by logging actions automatically. All network
operating systems (NOS) and many applications and services can be configured to
log events.
• Logging generally needs to be enabled and configured by the administrator. The main
decision is which events to record. Logs serve the following two general purposes:
• ■ Accounting for all actions that have been performed by users. Change and version
control systems depend on knowing when a file has been modified and by whom.
• Accounting also provides for non-repudiation (that is, a user cannot deny that they
accessed or made a change to a file). The main problems are that auditing successful
access attempts can quickly consume a lot of disk space and analyzing the logs can be
very time consuming.
• ■ Detecting intrusions (or attempted intrusions). Here records of failure-type events are
likely to be more useful, though success-type events can also be revealing if they show
unusual access patterns.
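An added example, not from the lecture, of the intrusion-detection use of logs described above: a few constructed logon records are scanned for bursts of failure events and for success events that show unusual access patterns (off-hours logons, a new source address for a user). The log format, the failure threshold and the working hours are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication log (not real data): timestamp, result, user, source.
SAMPLE_LOG = """\
2024-03-04T09:02:11 SUCCESS alice 10.0.0.12
2024-03-04T09:05:40 FAILURE bob 10.0.0.12
2024-03-04T09:05:42 FAILURE bob 10.0.0.12
2024-03-04T09:05:44 FAILURE bob 10.0.0.12
2024-03-04T09:05:46 FAILURE bob 10.0.0.12
2024-03-04T09:05:48 FAILURE bob 10.0.0.12
2024-03-04T09:05:51 SUCCESS bob 10.0.0.12
2024-03-04T13:10:02 SUCCESS carol 10.0.0.40
2024-03-05T03:17:55 SUCCESS carol 198.51.100.7
"""

FAILURE_THRESHOLD = 5        # assumption: 5 failures from one source for one user is suspicious
WORK_HOURS = range(8, 19)    # assumption: successful logons outside 08:00-18:59 are unusual


def parse(text):
    """Yield (timestamp, result, user, source) tuples from the constructed format."""
    for line in text.splitlines():
        ts, result, user, source = line.split()
        yield datetime.fromisoformat(ts), result, user, source


def analyze(text):
    failures = Counter()                 # (user, source) -> consecutive failures
    known_sources = defaultdict(set)     # user -> sources seen on successful logons
    findings = []
    for ts, result, user, source in parse(text):
        if result == "FAILURE":
            failures[(user, source)] += 1
            if failures[(user, source)] == FAILURE_THRESHOLD:
                findings.append(f"brute-force pattern: {FAILURE_THRESHOLD} failures for {user} from {source}")
            continue
        # Success events: revealing when they follow a failure burst or break the user's pattern.
        if failures.pop((user, source), 0) >= FAILURE_THRESHOLD:
            findings.append(f"success after failure burst: {user} from {source}")
        if ts.hour not in WORK_HOURS:
            findings.append(f"off-hours logon: {user} at {ts.isoformat()} from {source}")
        if known_sources[user] and source not in known_sources[user]:
            findings.append(f"new source for {user}: {source}")
        known_sources[user].add(source)
    return findings
```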
• Obviously, the more events that are logged, the more difficult it is to analyze and
interpret the logs.
• Also, logs can take up a large amount of disk space. When a log reaches its
allocated size, it will start to overwrite earlier entries.
This means that some system of backing up logs will be needed in order to preserve
a full accounting record to points in time. It is also critical that the log files be kept
secure, so that they cannot be tampered with.
Insider threats are particularly pertinent here as rogue administrators could try to
doctor the event log to cover up their actions.
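An added example (not from the lecture) of keeping a log tamper-evident against the rogue-administrator case above: each entry carries a keyed HMAC over its content and the previous entry's tag, so doctoring or deleting any record is detected when the chain is verified. The key, the records and the in-memory store are constructed for the demo; in practice the key would be held by a separate log server the administrator of the monitored host cannot reach.

```python
import hashlib
import hmac
import json


class TamperEvidentLog:
    """Hash-chained log: every tag depends on the previous tag, so an edit or a
    deletion anywhere breaks every link after it."""

    GENESIS = b"\x00" * 32

    def __init__(self, key: bytes):
        self._key = key           # assumption: kept off the monitored host
        self.entries = []
        self._prev = self.GENESIS

    def _tag(self, record: dict, prev: bytes) -> bytes:
        body = json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, prev + body, hashlib.sha256).digest()

    def append(self, **record):
        tag = self._tag(record, self._prev)
        self.entries.append({"record": record, "tag": tag.hex()})
        self._prev = tag

    def verify(self) -> int:
        """Return the index of the first entry that fails to chain, or -1 if intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._tag(entry["record"], prev)
            if not hmac.compare_digest(expected.hex(), entry["tag"]):
                return i
            prev = expected
        return -1


def demo():
    log = TamperEvidentLog(key=b"constructed-demo-key")
    log.append(user="admin", action="read", obj="payroll.xlsx")
    log.append(user="admin", action="delete", obj="payroll.xlsx")
    log.append(user="alice", action="read", obj="report.docx")
    intact = log.verify()                                  # -1: chain is good
    log.entries[1]["record"]["action"] = "read"            # rogue admin rewrites their action
    doctored = log.verify()                                # 1: that entry no longer matches
    del log.entries[1]                                     # or removes the record outright
    deleted = log.verify()                                 # 1: the next entry no longer chains
    return intact, doctored, deleted
```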
Surveillance
• Surveillance is a means of accounting for physical access to a system
(though electronic surveillance can also detect when a user accesses a
computer system).
• Surveillance is also a type of access control, as it acts as a deterrent to
those who would otherwise attempt to penetrate the system, carry out a fraud,
or misuse information or the system.
Incident Reporting
• Incident reporting means informing the relevant person that there has been a
security breach.
• Auditing software might do this automatically (for example, by emailing the
administrator).
• For situations not covered by software, there needs to be a clear policy for
employees to follow:
• ■ What is an incident?
• ■ What should I report?
• ■ To whom do I make the report?
• ■ How quickly should I report an incident?
• For example, a malware attack or a DoS attack.
Answer these questions to test what you have learned in this unit.